Opened 10 years ago

Last modified 7 years ago

#1158 closed defect (Fixed)

[info] circuit_testing_failed() on Fedora 12

Reported by: udo Owned by:
Priority: High Milestone:
Component: Core Tor/Tor Version: 0.2.1.20
Severity: Keywords:
Cc: udo, Sebastian, nickm Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

Working Fedora 11 setup with 0.2.1.20 upgraded to Fedora 12.
Rebuilt tor because of newer OpenSSL 1.0.0-fips-beta4 10 Nov 2009
Tor keeps mentioning:
[info] circuit_testing_failed(): Our testing circuit (to see if your ORPort is reachable) has failed. I'll try again later.

[Automatically added by flyspray2trac: Operating System: All]

Attachments (2)

info.log (24.0 KB) - added by udo 10 years ago.
debug.log (14.2 KB) - added by udo 10 years ago.

Change History (11)

Changed 10 years ago by udo

Attachment: info.log added

Changed 10 years ago by udo

Attachment: debug.log added

comment:1 Changed 10 years ago by udo

I also tried 0.2.2.6, same circuit_testing_failed messages.

comment:2 Changed 10 years ago by udo

The changed keywords in torrc, slightly edited:
SocksPort 9050
SocksListenAddress 127.0.0.1
Log debug file /var/log/tor/debug.log
Log info file /var/log/tor/info.log
DataDirectory /var/lib/tor
ControlPort 9051
HashedControlPassword 16:bla
Nickname 1d1dnt3d1th3c0nf1g
Address pindarots.xs4all.nl
ContactInfo Random Person <bla>
ORPort 9001
ExitPolicy reject *:*
BandwidthRate 20 KB
BandwidthBurst 21000
HardwareAccel 1
AccountingStart day 12:21
AccountingMax 2 GB
User _tor

comment:3 Changed 10 years ago by udo

gnutls-2.8.5-1.fc12.i686, BTW

comment:4 Changed 10 years ago by coderman

It looks like beta4 includes a different kind of fix like that anticipated in 0.9.8m:
---

https://svn.resiprocate.org/rep/ietf-drafts/ekr/draft-rescorla-tls-renegotiate.txt. Re-enable
renegotiation but require the extension as needed. Unfortunately,
SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION turns out to be a
bad idea. It has been replaced by
SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION which can be set with
SSL_CTX_set_options(). This is really not recommended unless you
know what you are doing.

---
This requires a change to the way tor_tls_unblock_renegotiation() and tor_tls_block_renegotiation() are used.
EDIT: actually, those two calls are no longer possible in 0.9.8m and 1.0.0beta4 and greater.
Sounds like 0.9.8l is dog food and some are recommending it never be used or supported?

comment:5 Changed 10 years ago by coderman

Confirmed fixed against 1.0.0-beta4 using the new SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION option.

diff --git a/src/common/tortls.c b/src/common/tortls.c
index ff49ecf..6f51ef8 100644
--- a/src/common/tortls.c
+++ b/src/common/tortls.c
@@ -589,6 +589,10 @@ tor_tls_context_new(crypto_pk_env_t *identity, unsigned int key_lifetime)

SSL_CTX_set_options(result->ctx,

SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION);

#endif

+#ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
+ SSL_CTX_set_options(result->ctx,
+ SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION);
+#endif

/* Don't actually allow compression; it uses ram and time, but the data

  • we transmit is all encrypted anyway. */

if (result->ctx->comp_methods)
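
Review bot: The added #ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION block in tor_tls_context_new() sets the option on result->ctx unconditionally and with no comment, so every connection created from this context accepts legacy renegotiation. The OpenSSL changelog text quoted in comment:4 says this option "is really not recommended unless you know what you are doing", so the block should carry a comment stating why Tor needs it and why that is acceptable here. The hunk also leaves tor_tls_block_renegotiation() and tor_tls_unblock_renegotiation() untouched, although comment:4 says their use has to change with 0.9.8m and 1.0.0beta4; it is worth checking whether the flag can be scoped to the connections those functions cover (SSL_set_options() on the individual SSL object) rather than set for the whole context.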

comment:6 Changed 10 years ago by udo

The provided patch on top of git appears to work well.
Traffic is picking up again.

comment:7 Changed 10 years ago by Leigh

I just wanted to chime in and say that the patch above also works against the latest stable version of tor (tor-0.2.1.20). This issue was a real head scratcher for me, having recently upgraded from Fedora 11 to 12 and suddenly there was no traffic. I ended up trying to chase down firewall ghosts that didn't exist. So if you are a Fedora 12 user, the version of tor in the repositories as of the timestamp on this message will not work. You need to download the source, apply the above patch and configure && make clean && make && make install. Then it should find your ORPort open in only a short time.

comment:8 Changed 10 years ago by Sebastian

flyspray2trac: bug closed.
Similar patch in master

comment:9 Changed 7 years ago by nickm

Component: Tor Client → Tor